United States Department of Agriculture
Office of Inspector General

Security Review of the National Agricultural Statistics Service's Lockup Procedures

26501-0001-12
February 2014

Security Review of National Agricultural Statistics Service's Lockup Procedures
Audit Report 26501-0001-12

OIG audited the effectiveness of NASS' lockup procedures for securing market sensitive commodity data before their official release.

What Were OIG's Objectives
We conducted an audit to perform a security assessment of the NASS lockup process and procedures to determine if physical, electronic, and other protection measures were properly implemented to assure sensitive market data were secured and released, according to established criteria.

What OIG Reviewed
NASS maintains specific procedures for gathering and securing commodity data, compiling them into agricultural reports, and preparing and releasing the reports in a secured area—known as lockup.

What OIG Recommends
OIG recommended that NASS develop, implement, and document periodic internal reviews for the entire lockup process, and submit the results to an independent evaluator for follow-up. NASS should also take action to mitigate IT vulnerabilities; implement controls to prevent data release delays; improve the physical security of lockup, IT equipment, and server rooms; and take steps to further secure sensitive data.

What OIG Found
The Office of Inspector General (OIG) found that the National Agricultural Statistics Service's (NASS) management needs to improve the security of its sensitive commodity market data and other information technology (IT) resources. We found that NASS did not adequately enforce critical procedures and physical security measures meant to protect the security of NASS information. Notably, although banned from lockup, OIG was able to bring a cell phone into lockup and witnessed a reporter using an iPad during lockup. NASS had also not taken mitigating actions to address outstanding IT vulnerabilities, thereby putting NASS' systems at risk. As a result, sensitive information could be compromised or leaked before its official release, which could adversely affect equitable trading in commodity markets. OIG notes that NASS experienced data release issues and has not yet remedied the underlying causes.

These issues occurred because NASS has not established a formal process for effectively monitoring lockup, nor a systematic process for documenting and following up on recommendations. Managers also did not review lockup procedures for gaps, adequately oversee contracted guards and equipment inventories, and were unaware of or did not have resources to meet Federal security requirements. NASS stated that it has taken action to address the majority of the issues found, and management decision has been reached for 14 of the 17 recommendations.

United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE: February 21, 2014

AUDIT NUMBER: 26501-0001-12

TO: Cynthia Clark
Administrator
National Agricultural Statistics Service

ATTN: Lisa A. Baldus
Director, Financial Management Division
Agricultural Research Service

FROM: Gil H. Harden
Assistant Inspector General for Audit

SUBJECT: Security Review of National Agricultural Statistics Service's Lockup Procedures

This report presents the results of the subject audit. Your written response, dated January 16, 2014, is included in its entirety at the end of the report. Excerpts from your response and the Office of Inspector General's (OIG) position are incorporated in the relevant sections of the report. Based on your January 16, 2014, response and additional information received on January 22, 2014, we were able to accept management decision on Recommendations 3-8 and 10-17 in the report. To reach management decision on the remaining recommendations, please see the relevant OIG Position sections in the audit report.

In accordance with Departmental Regulation 1720-1, please furnish a reply within 60 days, describing the corrective actions taken or planned, and timeframes for implementing the recommendations for which management decisions have not been reached. Please note that the regulation requires management decision to be reached on all recommendations within 6 months from report issuance, and final action to be taken within 1 year of each management decision to prevent being listed in the Department's annual Agency Financial Report. For agencies other than the Office of the Chief Financial Officer (OCFO), please follow your internal agency procedures in forwarding final action correspondence to OCFO.

We appreciate the courtesies and cooperation extended to us by members of your staff during our audit fieldwork and subsequent discussions. This report contains publicly available information and will be posted in its entirety to our website (http://www.usda.gov/oig) in the near future.

Table of Contents
Background and Objectives ..... 1
Section 1: NASS Lockup Management ..... 3
Finding 1: NASS Needs to Establish a Formal Review Process to Oversee Sensitive Data and IT Operations ..... 3
    Recommendation 1 ..... 7
    Recommendation 2 ..... 7
    Recommendation 3 ..... 8
    Recommendation 4 ..... 8
    Recommendation 5 ..... 8
Section 2: Lockup Security ..... 9
Finding 2: NASS Needs to Improve Lockup Security ..... 9
    Recommendation 6 ..... 12
    Recommendation 7 ..... 12
    Recommendation 8 ..... 13
    Recommendation 9 ..... 13
    Recommendation 10 ..... 13
    Recommendation 11 ..... 14
    Recommendation 12 ..... 14
Finding 3: NASS Needs to Mitigate IT Security Weaknesses to Prevent Data Compromise and Work Disruption ..... 15
    Recommendation 13 ..... 17
    Recommendation 14 ..... 17
    Recommendation 15 ..... 18
    Recommendation 16 ..... 18
    Recommendation 17 ..... 19
Scope and Methodology ..... 20
Abbreviations ..... 21
Agency's Response ..... 23

Background and Objectives

Background
The National Agricultural Statistics Service (NASS) is responsible for providing timely, accurate, and useful statistics regarding U.S. agriculture. The Agricultural Statistics Board (ASB)[1] is the subcomponent of NASS tasked with ensuring that the reports containing agricultural statistics are accurate, timely, and secure. NASS conducts hundreds of surveys each year and prepares production forecasts and final estimates for numerous commodities, including corn, wheat, cotton, soybeans, and oranges, as well as cattle and hog inventory estimates. Some of these are defined by Department Regulation as "speculative" because the estimates pertain to products traded on commodity markets.[2] ASB uses a special process and secure facility called "lockup" to prevent the early release of this information. The lockup facility is located inside the Department of Agriculture's (USDA) South Building in Washington, D.C.

Prior to lockup, NASS State statistical offices contact farmers and ranchers, using mail and phone calls, and record their information. NASS representatives are also dispatched to collect field data in-person from random locations. Once State officials aggregate their estimates, the data and comments for the speculative commodities are encrypted and transmitted to NASS headquarters. The encrypted data are saved onto removable media, only to be decrypted in lockup, where NASS prepares its estimates.

For non-national security programs and information systems, agencies must follow National Institute of Standards and Technology (NIST) standards and guidelines. NIST creates standards for information technology (IT) that ensure Federal systems meet the best practices of IT industry security, and produce a unified security framework. NIST standards state, for example, that facilities housing Federal IT systems' hardware must be protected from unauthorized entrants.

Lockup consists of a locked room guarded by an officer stationed outside the restricted area; attendees are not allowed to bring cellular devices inside. Opaque vinyl shades with steel reinforcement are drawn over windows and sealed to prevent unauthorized observation. All office telephones are disconnected, and computer systems are isolated from the "outside world" and secured. Lockup is also monitored to detect the presence of electronic transmissions. Journalists are allowed into lockup prior to the report release in order to develop articles about the report, which are released simultaneously with the report itself. Once permitted staff and the media have entered lockup, they are prohibited from leaving the area or contacting anyone outside until the report has been officially released.

The reports that NASS produces are extremely market sensitive and contain major principal economic indicators of the United States economy. For instance, NASS provides statistical data that are included in the World Agricultural Supply and Demand Estimates (WASDE) report. An Economic Research Service economist found that when the WASDE report is released, it is "followed by an immediate reaction reflected in the opening future prices for each commodity."[3]

NASS has experienced incidents where its reports are not released in a synchronous manner with press articles.[4] In 2011, three incidents involved the early release of press articles. Other times, NASS reports appeared on its official site later than the official release time, due to connectivity issues. NASS contracts with the National Information Technology Center (NITC) for servers that disseminate reports to the public. According to NASS, NITC re-configured the servers in 2012. NASS has since continued to experience connectivity issues.

When press articles were released earlier than the official release time in June 2011, NASS executive management staff requested the Office of the Chief Information Officer (OCIO)/Agriculture Security Operations Center (ASOC) to perform an in-depth, security-focused analysis and investigation of the occurrences.[5] This audit provides additional support to the OCIO/ASOC review by examining how effective NASS' lockup policies and procedures are at protecting the information from the time the estimates are received at NASS headquarters to the time the report is authorized to be released.

Objectives
We conducted an audit to perform a security assessment of the NASS lockup process and procedures to determine if physical, electronic, and other protection measures were properly implemented to assure sensitive market data were secured and released, according to established criteria.

[1] ASB prepares and issues the official national and State forecasts and estimates relating to crop production, stocks of agricultural commodities, animals and animal products, agricultural wage rates, and other subjects.
[2] Department Regulation 1042-042, Agricultural Statistics Board (May 29, 2009).
[3] Quantifying the WASDE Announcement Effect, Michael K. Adjemian, Oxford University Press, 2012.
[4] The reports that experienced release issues were: Quarterly Hogs and Pigs and Peanut Prices (June 24, 2011); Acreage, Grain Stocks and Rice Stocks (June 30, 2011); Dairy Product Prices, Grain Stocks, Rice Stocks and Small Grains Summary (September 30, 2011).
[5] Agriculture Security Operations Center, Assessment and Findings of NASS Press Room Infrastructure (August 11, 2011).

Section 1: NASS Lockup Management

Finding 1: NASS Needs to Establish a Formal Review Process to Oversee Sensitive Data and IT Operations
We found that NASS management is not taking adequate preventive measures to secure its sensitive commodity market data and other IT resources. Although Federal agencies are required to continually monitor the effectiveness of internal controls, NASS has records of only one documented review of lockup in 2011—which examined a limited portion of the data release process—and has not yet implemented all of the review's recommendations. During our audit, we also found over 4,800 vulnerabilities on 899 devices across NASS' network, including systems in lockup, which NASS was not taking action on.[6][7] These issues occurred because NASS has not established a formal internal review process for lockup procedures, nor a systematic process for documenting and following up on review results. Also, no one person or group within the ASB is tasked with consistently following up on and addressing identified problems. Because they had performed no such reviews, NASS management incorrectly believed that the data in lockup were adequately secured. We found that existing lockup security procedures were not being followed—for instance, lockup entrants were able to easily carry cell phones inside (see Finding 2)—as well as gaps in procedures for critical areas, such as guard monitoring duties (see Finding 2) and security of IT equipment (see Finding 3). Data release delays have also taken place, which could adversely affect equitable trading in the commodity markets; the cause of the delays remains unresolved. The high number of vulnerabilities on NASS' network devices puts all NASS systems at risk.

The Office of Management and Budget (OMB) requires agencies to continuously monitor the effectiveness of internal controls and conduct periodic reviews.[8] Agencies should have a systematic process to address deficiencies in internal controls. OMB also requires agencies to prepare plans of action and milestones (POA&M) for identified IT security weaknesses,[9] and NASS procedures[10] require that high and medium vulnerabilities be mitigated within 2 weeks and low vulnerabilities within 30 days.[11] Further, OMB requires that statistical agencies ensure all users have equitable and timely access to data disseminated to the public.[12] A NASS document explaining statistical procedures states that anyone having early access to sensitive information would have an obvious advantage in trading on the commodities market, and equal, simultaneous public access to data for all is a hallmark of NASS reports.[13]

[6] Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. We scanned NASS' system using a commercially available scanning tool.
[7] The 4,858 vulnerabilities were made up of 35 critical, 1,805 high, and 3,018 medium vulnerabilities. A critical vulnerability is malicious in nature and will result in the compromise of the system if not acted upon immediately. A high vulnerability, if exploited, will result in the compromise of the entire system. A medium vulnerability, if exploited, will result in the partial compromise of a system; the attacker will gain access, but it will be limited.
[8] OMB Circular No. A-123, Management's Responsibility for Internal Control (December 21, 2004).
[9] OMB Memorandum 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act (August 23, 2004).
[10] Security Policy Directive-01, Vulnerability Assessment Scans (May 5, 2011).
[11] A POA&M is a tool that identifies tasks needing to be accomplished to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. It details resources required to accomplish the elements of the plan, milestones in meeting the task, and scheduled completion dates for the milestones. The goal of a POA&M should be to reduce the risk of the weakness identified.

A Federal Reserve Bank of Kansas City study on agricultural commodity market volatility mentioned the delays as well, stating that anecdotal evidence suggests that individuals attempting to download reports precisely when they are released have faced significant delays.[14] It suggests the effect this may have had on the markets, stating that, "Thus, higher volatility may have persisted… if some groups of traders, wishing to place a trade only after accessing WASDE, are unable to access the information at the same time as others with faster access." This study also found a spike in price volatility "the instant the reports are released," with the highest amounts of volatility occurring in the first 5 minutes. This brief period of high volatility can affect risk management strategies, creating an environment where a very short delay in accessing information has a large impact on traders.

In 2011, NASS experienced three incidents during which press articles were released before the authorized time. The NASS reports are supposed to be released simultaneously by media sources and on NASS' official website. In each case, press articles written inside of lockup were released early. Normally, journalists write articles while in lockup and upload them into a queue, and NASS controls a switch that allows all articles to be released simultaneously at the official time. In the first instance, the press articles were not held back in a queue, but published as soon as they were uploaded. One article was sent as early as 14 minutes before the official data release time. The second time, anticipating that a similar problem could occur, NASS told reporters not to queue their articles until 2 minutes before release time. When the reporters uploaded articles into the queue, the switch again allowed the reports to be published early. A third early release, of 25 seconds, occurred in September because of human error when someone accidentally released the data manually. In each circumstance, a trader watching the NASS website—and not the media sources that prematurely released the articles—would not have had access to the commodity statistics as early as others.

To help remedy this issue, NASS requested that OCIO/ASOC review its data release process. This was a technology-related review of potential issues in the press room area in lockup. The August 2011 external review determined that an equipment malfunction was the cause of the incidents, specifically the switch that isolates NASS' network during lockup. Since the switch was replaced after the OCIO/ASOC report, no other switch-related issues have been detected. Besides recommending replacement of the malfunctioning equipment, the report also called for other security enhancements to NASS' system. The report contained six recommendations.

[12] OMB Federal Register, Part V, Statistical Policy Directive No. 4: Release and Dissemination of Statistical Products Produced by Federal Statistical Agencies (March 7, 2008).
[13] National Agricultural Statistics Service. About NASS. ONLINE (December 2012). http://www.nass.usda.gov/About_NASS/ASB_and_Lockup/Lockup_QA.pdf [July 2013].
[14] Quantifying the WASDE Announcement Effect, Michael K. Adjemian, Oxford University Press, 2012.

NASS has taken action to address four of the recommendations, and two remain outstanding.[15] While agencies have the flexibility to decide the best and most practical actions to address vulnerabilities, at a minimum, NASS should have developed OMB-required POA&Ms for all of the recommendations, as they dealt with IT security weaknesses. NASS did not create POA&Ms for any of the six recommendations. The POA&Ms would have detailed whether NASS accepted the recommendations, the reasoning behind its actions, and the eventual result—which is especially important for recommendations that an agency does not implement. NASS officials incorrectly believed that ASOC's review did not require recommendations to be tracked by POA&Ms.

During our audit fieldwork, we found that data dissemination problems continued to occur in lockup, albeit under different circumstances. During the March 2013 lockup session, we observed a delay of 4 minutes in the release of a report to the public, due to connectivity issues. After additional discussions with NASS, we discovered that this has been and remains an ongoing issue, and some reports have not been uploaded to NASS' website on time. We observed that data from news organizations were not delayed, allowing anyone who subscribes to their services to have access to the report information before others checking NASS' website, resulting in inequality among users of NASS estimates. Since markets can have an immediate reaction to the reports, this reinforces the need for timely dissemination to all members of the public—not just those with news organization subscriptions.[16]

NASS contracts with the NITC for servers that disseminate reports to the public. According to NASS, NITC re-configured the servers in 2012, and NASS continues to experience connectivity issues. NASS stated that the delay occurred because NITC had changed the authentication requirements for NASS servers, which interrupted the connection and did not allow the report to be uploaded on time; thus, the report was not available to the public on time.

We found the agreement between NITC and NASS for server management was generic and lacked sufficient roles and responsibilities, as well as any formal recourse for addressing performance issues, such as penalties or other methods of enforcement. NASS is taking action by reviewing the agreement with NITC in order to determine how and what can be strengthened. However, given the length of time this issue has been occurring—almost a year—we believe that NASS should intensify its efforts to permanently solve the problem.

NASS did try to respond to the issue by creating a manual process for releasing the report that bypasses NITC servers, but the process involves opening an internet connection for one computer in lockup 5 minutes before the official release time. With an open internet connection prior to the official release, there is a risk that the report may be released early, or people inside the lockup may misuse the early internet connection. In the first live use of the manual process, the report was available to the public on NASS' site 7 seconds after the official release time. We note that this is a temporary and manual solution, and there is still no guarantee that the reports will be released on time. This manual process creates an opportunity for the early release of reports.

[15] The two recommendations involved (1) installing a programmable switch that can facilitate data gathering, and (2) implementing best practices on the news agencies' workstations and infrastructure. When we asked them why they had not acted on these issues, NASS officials stated they had not found a feasible way to maintain news agencies' proprietary network independence while implementing the second recommendation. NASS officials also stated that they had installed two-layer manual switches to enhance security, but had not installed the programmable switch type that the recommendation asked for.
[16] Quantifying the WASDE Announcement Effect, Michael K. Adjemian, Oxford University Press, 2012.

We also identified other long-term challenges that NASS has yet to adequately remedy. Although NASS consistently performs monthly security scans of its network, it is not remediating the identified IT vulnerabilities in a timely manner. The scans we performed while conducting this audit found 4,858 critical, high, and medium vulnerabilities on 899 devices on NASS' network—which could result in the compromise of the system, if not acted upon immediately.

NASS scans of the lockup server indicated there were 3 high and 11 medium vulnerabilities that existed for at least 6 months. We note that NASS did not create any POA&Ms to resolve these vulnerabilities once they were detected—as required by NIST, the Department, and NASS procedures.
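As an added illustration (not tooling from the report or from NASS), the following Python check ages constructed scan findings against the remediation deadlines the report cites from NASS procedures (high and medium within 2 weeks, low within 30 days), flags findings that have no POA&M, and spots a single POA&M shared by many findings. The record layout, host names, finding ids and the deadline applied to "critical" findings are assumptions.

```python
"""Age scan findings against the remediation deadlines cited in Finding 1.

Added illustration, not the report's or NASS' own tooling. The record
layout, host names, finding ids and the "critical" deadline are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Deadlines the report attributes to NASS Security Policy Directive-01:
# high and medium within 2 weeks, low within 30 days. The page states no
# deadline for "critical"; this example assumes the high deadline applies.
DEADLINE_DAYS = {"critical": 14, "high": 14, "medium": 14, "low": 30}


@dataclass(frozen=True)
class ScanFinding:
    """One row of a monthly scan export (constructed field layout)."""
    host: str
    finding_id: str                 # scanner check id, constructed
    severity: str                   # critical | high | medium | low
    first_seen: date                # first scan that reported it
    poam_id: Optional[str] = None   # CSAM POA&M id; None = never tracked


def days_open(f: ScanFinding, as_of: date) -> int:
    """Calendar days the finding has been open as of the given date."""
    return (as_of - f.first_seen).days


def is_overdue(f: ScanFinding, as_of: date) -> bool:
    """True once a finding has outlived the deadline for its severity."""
    if f.severity not in DEADLINE_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} on {f.host}")
    return days_open(f, as_of) > DEADLINE_DAYS[f.severity]


def assess(findings: List[ScanFinding],
           as_of: date) -> Tuple[List[ScanFinding], List[ScanFinding]]:
    """Return (overdue, untracked).

    overdue:   past the severity deadline, whether or not a POA&M exists
    untracked: no POA&M at all, so CSAM cannot show remediation progress
    """
    overdue = [f for f in findings if is_overdue(f, as_of)]
    untracked = [f for f in findings if f.poam_id is None]
    return overdue, untracked


def catch_all_poams(findings: List[ScanFinding],
                    max_per_poam: int = 1) -> Dict[str, int]:
    """POA&M ids shared by more findings than max_per_poam.

    The report notes NASS later opened one POA&M for all monthly scan
    results; such a catch-all cannot track each vulnerability to closure.
    """
    counts = Counter(f.poam_id for f in findings if f.poam_id is not None)
    return {pid: n for pid, n in counts.items() if n > max_per_poam}


# Constructed sample export; not real NASS scan data.
AS_OF = date(2013, 6, 1)
SAMPLE = [
    ScanFinding("lockup-srv-01", "CHK-1001", "high", date(2012, 11, 20)),
    ScanFinding("lockup-srv-01", "CHK-1002", "medium", date(2012, 11, 20)),
    ScanFinding("lockup-srv-01", "CHK-1003", "medium", date(2013, 5, 25)),
    ScanFinding("hq-ws-17", "CHK-2001", "low", date(2013, 4, 10), "POAM-2013-01"),
    ScanFinding("hq-ws-18", "CHK-2002", "critical", date(2013, 5, 30), "POAM-2013-01"),
    ScanFinding("hq-ws-19", "CHK-2003", "low", date(2013, 5, 15), "POAM-2013-01"),
]

if __name__ == "__main__":
    overdue, untracked = assess(SAMPLE, AS_OF)
    for f in overdue:
        print(f"OVERDUE  {f.host} {f.finding_id} {f.severity:<8} "
              f"{days_open(f, AS_OF):>4}d  poam={f.poam_id}")
    for f in untracked:
        print(f"NO-POAM  {f.host} {f.finding_id}")
    print("catch-all POA&Ms:", catch_all_poams(SAMPLE))
```

Run against the constructed sample, the two lockup-server findings open since November show up both as overdue and as untracked, mirroring the condition the paragraph above describes.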
Without creating a POA&M in the Cyber Security Assessment and Management (CSAM)[17] system for each vulnerability, NASS was unable to track the progress of completion. When we spoke to NASS officials about this issue, they said they are establishing a group to address these vulnerabilities, and have since created one POA&M for all monthly scan results, in order to address critical, high, and medium vulnerabilities.

We believe that many of the issues identified in our field work—including our ability to send text messages from lockup (as described in Finding 2)—could have been discovered and addressed by a formal, systematic, periodic review process. Without a periodic review of implemented NASS lockup procedures, ASB cannot adequately perform its oversight duties and proactively mitigate weaknesses that could have a major impact on equitable trading during periods of high volatility just before and after release. NASS officials have stated they are currently forming a designated internal review group that would be able to take on such a project. We agree with NASS' action and encourage officials to assemble this group in a timely manner.

The current NASS report release methods do not allow all users equitable and timely access to public reports, which puts NASS' core mission at risk. NASS should make efforts to ensure that the findings of all reviews are properly tracked and implemented—and IT vulnerabilities are promptly mitigated. A formal internal review process that periodically tests the effectiveness of the lockup procedures, with independent oversight, would help NASS spot security weaknesses before they occur. The independent oversight should report to someone with the authority to execute changes identified during the internal reviews, such as the Under Secretary for Research, Education and Economics (REE). Also, NASS should take actions to address report release delays and mitigate known IT vulnerabilities.

[17] CSAM is a comprehensive system developed by the Department of Justice, which can facilitate achieving Federal Information Security Management Act (FISMA) compliance. CSAM provides a vehicle for the Department, agencies, system owners, and security staff to: (1) manage system inventory, interfaces, and related system security threats and risks; (2) enter system security data into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system security documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate custom and predefined system security status reports to effectively and efficiently monitor each agency's security posture and FISMA compliance. This includes agency-owned systems as well as those operated by contractors on the agency's behalf.

Recommendation 1
Establish a group within NASS specifically responsible for internal reviews, and develop, implement, and document periodic, internal reviews of the entire lockup process. The review should involve documenting recommended actions to correct any identified issues. As part of the review, include the results of any audits, external reviews, or other types of internal reviews.

Agency Response
In the agency response dated January 16, 2014, NASS agreed with this recommendation and stated it will establish a group responsible for developing, implementing, conducting and documenting, on an annual basis, internal reviews of the entire lockup process by October 1 of each year, and the results of this review will be shared with an independent evaluator and integrated with other evaluations.

OIG Position
While NASS agreed with the recommendation to establish a group responsible for conducting internal reviews, we are unable to reach management decision based on NASS' agency response. To reach management decision, NASS needs to provide a date by which it will establish this group.

Recommendation 2
Once started, submit the results of the internal review process to an independent evaluator not affiliated with lockup, who is selected by the NASS administrator. The evaluator will monitor, track, and report the results of corrective actions back to the Under Secretary for REE.

Agency Response
NASS agreed with this recommendation and stated it will employ an independent evaluator to monitor, track and report results of corrective actions of the entire lockup process. NASS further stated that the results of this independent evaluation will be shared with REE's Under Secretary bi-annually by October 1 of odd-numbered years.

OIG Position
We are unable to reach management decision based on NASS' response. To reach management decision, NASS needs to provide an estimated date for when the independent evaluator will be in place. Additionally, results from each review conducted should be reported to REE's Under Secretary.

Recommendation 3
Create POA&Ms to track any identified vulnerabilities or recommendations from internal and external reviews. Document the reasons for any unresolved recommendations or weaknesses.

Agency Response
NASS agreed with this recommendation and is currently conducting POA&Ms as part of its corrective action plan and has incorporated these into USDA's CSAM System.

OIG Position
OIG reviewed these POA&Ms and found that they have an estimated completion date of April 30, 2014. We accept NASS' management decision for this recommendation.

Recommendation 4
Immediately take action to prevent report release delays. As part of the process to eliminate the delays, create a long-term plan to prevent their reoccurrence that includes specific deadlines and then implement the solution.

Agency Response
NASS agreed with this recommendation and stated it has taken and is taking several actions to minimize report release delays, that it will have a plan in place by March 15, 2014, and that it will incorporate continual analysis and assessment as part of the internal review process.

OIG Position
We accept NASS' management decision for this recommendation.

Recommendation 5
Create a service level agreement with NITC to include specific responsibilities and minimum performance standards.

Agency Response
NASS agreed with this recommendation and stated it will update its service level agreement with NITC to include specific responsibilities and minimum performance standards by October 1, 2014.

OIG Position
We accept NASS' management decision for this recommendation.

Section 2: Lockup Security

Finding 2: NASS Needs
to Improve Lockup Security\n\nNASS is not enforcing critical lockup procedures and physical security measures meant to\nprotect the security of NASS information. Specifically, contrary to NASS procedures, OIG was\nable to bring a cell phone into the lockup area and witnessed a reporter in lockup using a wireless\niPad, which may also have had cellular capabilities. Also, NASS did not ensure that its staff and\ncontractors followed proper security measures, and had insufficiently documented procedures for\nsome aspects of lockup security, such as guard duties. Finally, managers did not maintain proper\nkey card access and confidentiality records for current, retired, and separated employees. This\noccurred because managers did not review the lockup and separated lockemployee procedures\nfor gaps, and did not adequately monitor the contracted guards. Although cameras are in place at\nthe entrance of lockup, lockup procedures only require the cameras to be checked periodically to\nensure the system is operating. In addition, guards need additional training to effectively\nperform their lockup duties. As a result of these security weaknesses, sensitive market\ninformation could be compromised or leaked before the official release of data, which could\nadversely affect NASS\' mission and equitable trading in the commodity markets.\n\nNASS ASB Lockup Procedures require NASS to take specific security measures to ensure the\nintegrity of lockup, which we found were not always followed. The particular issues are detailed\nbelow:\n\n       Prohibited Devices\n\n       NASS\xe2\x80\x99 procedures require it to (1) prevent wireless devices from entering lockup,\n       (2) detect Wi-Fi and cellular transmissions within the confines of lockup spaces, and\n       (3) require visitors to declare that they do not have any wireless devices when entering\n       lockup. 
However, on two different occasions, OIG was able to bring a cell phone into\n       lockup with minimal effort to conceal it (inside a pocket). We were able to use the phone\n       to send two text messages, both of which went undetected by NASS. Though NASS uses\n       software to detect wireless equipment within the area, the software, due to technological\n       restrictions, is unable to accurately identify the location of a cellular signal. For instance,\n       someone could be using a cellular phone on the floor just above lockup, and the software\n       will still flag it. Therefore, NASS staff cannot be certain when and if any cellular activity\n       is occurring in lockup, as the software continually detects signals. When we sent the text\n       messages, a NASS employee was observing the software and did not detect our text\n       message being sent. NASS officials were aware of the software\'s shortcomings, but said\n       that there is no other software available to replace it. Without effective software in\n       place, physical measures for preventing cellular devices from entering lockup take on an\n       even greater importance.\n\n       Additionally, OIG observed a reporter in the press room using a wireless iPad, which\n       may have had cellular capabilities. All who enter lockup are required to sign in and\n       indicate that they are not currently in possession of a cell phone, laptop, or other wireless\n\n\n                                                                AUDIT REPORT 26501-0001-12          9\n\x0c     device. We checked the lockup records and found that this reporter selected the \xe2\x80\x9cno\xe2\x80\x9d\n     checkbox specifying that he did not have any such devices.\n\n     Also, while procedures state a NASS staff member is to be in the press room at all times\n     monitoring the press members during lockup; we found that the person did little to\n     monitor the press prior to the official release. 
Later, OIG notified NASS of what we had\n     observed and NASS had to go back and look at security footage to verify our observation.\n     NASS then suspended the news organization from entering lockup for a specified time\n     period.\n\n     Guard Duties\n\n     NASS procedures state that the guards are assigned to observe the area outside of lockup\n     and to control the movement of people and materials into the lockup area. They are also\n     responsible for reminding all personnel to leave all wireless devices in a locker prior to\n     entering lockup, checking passes of people who enter, and preventing anyone from\n     leaving lockup before the release time. The guards are contracted Federal Protective\n     Service (FPS) officers. NASS\xe2\x80\x99 contract with FPS is a one-page document that details\n     payment amounts and the location of lockup, and only states that guards will, \xe2\x80\x9cprovide\n     protective services for [fiscal year] FY 2013 NASS \'Crop Report\' Lockups. Officers\n     needed to admit authorized personnel to lockup area and prevent early release of official\n     estimates.\xe2\x80\x9d It does not include details on the expectations for the guards\xe2\x80\x99 services and\n     formal ways to address any performance issues.\n\n     Due to the nature of the contract, NASS does not know who FPS will assign prior to\n     lockup, or if the specific guard has worked a prior NASS lockup. While guards are\n     provided with a set of written procedures, we found that they were not always followed\n     and did not sufficiently cover all duties. Also, the guards were not provided adequate\n     training on lockup procedures or monitored by NASS personnel to ensure they followed\n     them.\n\n     When OIG auditors entered lockup using expired passes, the security guard allowed us\n     access without collecting our passes. 
We then used these expired passes to enter a\n     subsequent month\xe2\x80\x99s lockup; this also went unnoticed by the guard. The guard also did\n     not verify our names to our security badges. While NASS stated that this was a required\n     procedure for guards, this action was not documented in the instructions given to the FPS\n     officers. Instead, NASS said they gave instructions verbally. We also observed the\n     guards occasionally have a shift change during lockups; when this occurs, NASS needs to\n     have established procedures that can stand alone and clearly outline the guard\xe2\x80\x99s duties,\n     without any verbal instructions from NASS.\n\n     NASS procedures require that, upon entering lockup, all persons sign in. However, we\n     found not all persons did so. The sign-in sheet was on a podium just inside of lockup, but\n     was easily missed by visitors because no one provided direction to sign in or verified that\n     everyone had signed in. If an accurate record is not kept, NASS will not have a record of\n\n\n10   AUDIT REPORT 26501-0001-12\n\x0c        all individuals present in the event of an emergency, or be able to hold those individuals\n        accountable in the event of a security breach.\n\n        Confidentiality Forms\n\n        NASS procedures require all employees who enter lockup to sign confidentiality\n        agreement forms (ADM-004) on an annual basis. We reviewed the NASS employees\n        who signed into two lockup sessions in March 2013 and found that out of the 41\n        employees, only 3 had current forms signed within the past year. 
This occurred because\n        supervisors are not maintaining and reviewing employee records to ensure that the form\n        is signed annually by applicable employees.\n\n        Key Card Access\n\n        NIST requires organizations to disable and remove accounts for terminated or transferred\n        users.18 We found that NASS does not have an accurate database of current key card\n        holders for the lockup area. Specifically, we found 4 individuals on the lockup access list\n        that NASS was not able to identify as current NASS employees or other authorized\n        persons, and 38 separated employees remained on the list. This occurred because NASS\n        officials did not have a documented process for removing a terminated employee from\n        the card reader access system, and were not performing reconciliations between current\n        employee lists and the list of key card holders. NASS recently implemented a new\n        internal process to administer badges, and officials stated that they did not have the time\n        or resources to deactivate badges from separated employees.\n\n        NASS has a separation checklist used to document that the USDA photo identification\n        (ID) card and lockup pass have been collected and destroyed before the employee leaves\n        NASS. However, we found that this form is not being used regularly. We non-\n        statistically sampled five separated employees and found that NASS could only provide\n        two separation checklists of the five requested. A NASS employee who maintains the\n        key card access database stated that there were no controls in place to ensure separated\n        employees were consistently removed from the database. 
As a result, unauthorized and terminated employees could still gain access to restricted areas.

Disaster Recovery

NIST requires agencies to develop and test a contingency plan for an information system disruption. Although NASS has a disaster recovery plan and emergency procedures in place, we were not able to discern all steps for emergency procedures within lockup and had to speak with NASS officials to clarify. Therefore, we are concerned that even with this plan, NASS employees would be unaware of specific emergency procedures in the event of a disaster.

[18] NIST SP800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations (August 2009).

NASS needs to strengthen its physical security measures, and timely and accurately update its employee files and key card access database. As NASS works to establish its new internal monitoring group, officials should take the opportunity to strengthen procedures for: physical security, lockup entry, tracking and monitoring employee lockup access, and disaster planning. These actions, when done in conjunction with the formal internal reviews recommended in Finding 1, will serve to reduce the possibility of serious information breaches.

Recommendation 6
Immediately implement additional short-term procedures to prevent wireless and cellular devices within lockup. Also, research and implement a permanent solution to prevent cellular activity within lockup.

Agency Response
NASS agreed with this recommendation and stated it has purchased, and with each lockup is now using, an electronic screening device that all lockup entrants must pass through to prevent wireless and cellular devices within lockup. The response further stated that NASS submitted a waiver request to the National Telecommunications & Information Administration in September 2013 to allow cellular blocking within the lockup area. This request was denied. NASS stated it will continue to investigate mitigation strategies for limiting cellular access and that this review will be incorporated into the annual review process. Additional correspondence received from NASS on January 22, 2014 stated that the electronic screening device was implemented on November 8, 2013. This device will screen for cellular and wireless devices.

OIG Position
We accept NASS' management decision for this recommendation.

Recommendation 7
Revise the current FPS contract to include detailed guard responsibilities, in accordance with NASS procedures, as well as recourse if performance is not adequate.

Agency Response
NASS agreed with this recommendation and stated that by June 1, 2014, it will revise the current FPS contract to include detailed guard responsibilities, in accordance with NASS procedures, as well as recourse if performance is not adequate.

OIG Position
We accept NASS' management decision on this recommendation.

Recommendation 8
As a part of NASS' new internal review group, add duties for monitoring the work of guards to the group's responsibilities.

Agency Response
NASS stated it had instituted a procedure to co-locate a NASS employee with FPS personnel to ensure duties are carried out in accordance with contractual agreements, and further stated that it will continue to enhance these procedures and monitor FPS personnel when a new contract is signed. Additional correspondence received from NASS on January 22, 2014, stated that it started co-locating NASS staff with FPS officers as of June 28, 2013.

OIG Position
We accept NASS' management decision on this recommendation.

Recommendation 9
As part of a formal, periodic review process for lockup, validate that confidentiality forms are signed annually by employees and contractors involved in lockup.

Agency Response
NASS stated that it will implement a process to ensure NASS employees and contractors update and sign confidentiality forms. This process will coincide with the annual performance review process.

OIG Position
We are unable to reach management decision based on NASS' response. In order to reach management decision on this recommendation, NASS needs to validate confidentiality forms for all NASS employees and contractors involved in lockup and provide a date when validations will begin.

Recommendation 10
Develop procedures to remove terminated or retired employees from the key card access database, and maintain accurate documentation of separation checklists.

Agency Response
NASS agreed with this recommendation and stated it has developed procedures and will continue to conduct monthly audits to assure that terminated or retired employees are removed from the key card access database and that accurate documentation of separation checklists is maintained. According to additional information received from NASS on January 22, 2014, NASS implemented new procedures on December 13, 2013.

OIG Position
We accept NASS' management decision for this recommendation.

Recommendation 11
Revise lockup procedures to include more specific guidance on the steps to take in the event of a disaster during lockup, and the locations that staff, press, and visitors will be moved to. Train NASS and media staff on disaster recovery procedures.

Agency Response
NASS agreed with this recommendation and stated it will revise lockup procedures by October 1, 2014, to include more specific guidance on the steps to take in the event of a disaster during lockup, and the locations to which staff, press, and visitors will be moved, and will train its own staff and media representatives on disaster recovery procedures.

OIG Position
We accept NASS' management decision on this recommendation.

Recommendation 12
Strengthen the FPS guards' role to increase the level of lockup security, including requiring that the guards maintain a sign-in sheet that records the time of entry into lockup. Also, add a step to the guards' procedures requiring them to verify that information on lockup entrants' ID cards and passes match.

Agency Response
NASS agreed with this recommendation and stated that FPS guards have a revised protocol to check bags and identities. NASS has taken action to ensure that FPS guards have and follow updated and clear security procedures in regards to identity checks and documentation. The response further stated that by June 1, 2014, NASS will update the statement of work for the FPS guards to increase the level of lockup security, in line with the recommendations.

OIG Position
We accept NASS' management decision for this recommendation.

Finding 3: NASS Needs to Mitigate IT Security Weaknesses to Prevent Data Compromise and Work Disruption

We found that NASS had several unresolved IT security weaknesses: NASS officials (1) were unaware of physical security issues in IT facilities, (2) used live data in a system that had lost its authorization,[19] and (3) used sensitive data on a system that was not categorized at a "high-impact" level of security.
NASS was unaware of some issues because it had not conducted a physical controls review of the lockup server room. NASS officials said they were unaware of the potential risk in using live data in a system that had not completed the assessment and authorization process. Each of these problems, if exploited by outside attackers or unscrupulous persons, could impact NASS' operations and create a risk of compromised statistical data, and compromise the lockup itself. For instance, due to inadequate physical security of an electrical closet, the entire lockup area is at risk for losing power, which could affect report releases.

NIST guidelines and Departmental regulations require agencies to implement specific security measures to ensure the integrity of physical infrastructure and systems. The issues we found are described in detail below:

Physical IT Security

NIST requires that organizations maintain visitor access records and enforce physical access restrictions to the facility where an information system resides.[20] OIG visited the server room within lockup where the switches and the ASB server are located. We entered the server room on multiple occasions and were never asked to sign in upon entering the room, and did not see any sign-in sheet available.[21] In the event that the server equipment was tampered with or changed, NASS would have no record of individuals that could be responsible. When we spoke to them about this, NASS officials were unaware of the visitor's log requirement. After we brought up the issue, NASS implemented a mandatory server room visitor log.

NIST SP 800-53 and the Department also require organizations to develop and maintain an inventory of their information systems.[22] We found that NASS does not have an accurate inventory listing of its server room equipment. NASS provided us a list of what it believed was all the equipment in the server room. While all of the equipment listed was present, we identified eight additional devices in the server room that were not included on NASS' inventory. This occurred due to a lack of management oversight; NASS staff said they simply forgot to include the other devices in their inventory. Without an accurate inventory, NASS is unaware of all the equipment connected to its network, and therefore cannot monitor, maintain, and secure all equipment, or replace it in the event of a disaster.

[19] The Estimation and Publication (EP) system was authorized to operate until NASS made major changes to the system, at which point NASS did not report the major changes to the Department, nor did it test the proper controls. This resulted in the loss of authorization for the system to operate.
[20] NIST SP800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations (August 2009).
[21] Anyone not authorized to be in the server room needs to sign the log and document their reason for being in the server room.
[22] DM 3545-002 USDA Information Systems Security Program (March 31, 2006) & DM 3565-001 Annual Security Plans for Information Technology (IT) Systems (February 17, 2005).

We also identified an unlocked, unsecured electrical closet that provides power to the lockup area and server room. The electrical panel containing circuit switches was clearly labeled in detail, and contained the main power switch for the entire lockup area. NIST requires that power equipment and cabling for the information system be protected from damage and destruction. The Department is responsible for the electrical closet and ensuring it is locked. OIG spoke with the USDA building electrical engineer and confirmed that the closet did contain the power for the lockup area and should not be accessible. This occurred because NASS officials were unaware of the closet, its location, and the security implications of leaving it unlocked. As a result, the lockup area is at risk of power failure and disruption, which could result in a delay when releasing the report. The Department has since locked the closet.

Estimation and Publication (EP) System

Departmental Regulation 3140-001 states that USDA's goal is to identify, protect, and secure critical and sensitive USDA systems and data.[23] As a component of EP, NASS has developed a new system that collects and secures statistical information; however, "live" encrypted speculative data were used to test the new system. Therefore, the speculative data, which need to be kept confidential until their official release, were stored on a system that NASS had not yet received an authorization to operate. The authorization process involves testing controls and ensuring a system is secure; considering the high number of vulnerabilities we found on NASS' authorized systems, we are concerned about sensitive speculative data present on an unauthorized system. We found 732 vulnerabilities when we scanned the network that contained the EP system. NASS officials said they were unaware of the potential risk in using live data in the test system.

Federal law requires organizations to categorize their information systems as low-impact, moderate-impact, or high-impact, based on the security objectives of confidentiality, integrity, and availability.[24] We found that NASS categorized the EP system, which holds highly sensitive data, as moderate. A moderate system is not required to have all the security controls tested that would be required for a system categorized as high. Therefore, NASS is not testing the security controls for a system with market sensitive data at the highest level.

The EP system holds sensitive information from States that, when aggregated, would be considered speculative, and therefore should be kept confidential and on a system with high integrity, as per the NIST criteria for categorization. For instance, if unscrupulous persons were able to access a crop estimate from a speculative State prior to the official release, they would have information that might give them an unfair advantage in the commodity market.

[23] USDA Departmental Regulation (DR) 3140-001, USDA Information Systems Security Policy (May 15, 1996).
[24] Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems (February 2004).

NASS explained that the EP system connects with NASS' General Support System (GSS).[25] If the EP system was categorized as a high impact system at all times, the controls for the GSS, and therefore NASS' entire network, would need to be tested at the "high" level as well, which would be more costly. Still, we believe that such an action is warranted, as sensitive data reside on EP at other times besides during lockup. For example, States periodically input sensitive crop information into EP. Therefore, NASS, in cooperation with the OCIO, needs to determine and implement the proper categorization of EP.
OCIO is responsible for validating that proper categorization\n         documentation and justification is accurate in CSAM.\n\nWe acknowledge that NASS has taken actions to address some of these IT issues, and believe\nthat it needs to do more to strengthen its IT security. Without the proper NIST physical and\nenvironmental controls in place, NASS is increasing the risk of compromising statistical data and\nlockup itself. In addition, NASS must ensure that sensitive information resides only on\nauthorized systems with the proper security categorization, and that equipment and power\nsources are adequately secured.\n\nRecommendation 13\nAs part of the internal review process in Recommendation 2, include a checklist for reviewers to\nexamine how NASS complies with NIST\xe2\x80\x99s Special Publication 800-53\'s physical and\nenvironmental controls.\n\nAgency Response\nNASS agreed with this recommendation and stated that as a part of the internal review process in\nRecommendation 2, NASS will, by October 1, 2014, include a checklist for reviewers to\nexamine how NASS complies with the physical and environmental controls in NIST\xe2\x80\x99s Special\nPublication 800-53.\n\nOIG Position\nWe accept NASS\xe2\x80\x99 management decision for this recommendation.\n\nRecommendation 14\nDevelop and implement procedures to verify that electrical equipment and server rooms are\nlocked at all times.\n\n\n25\n  A GSS is a collection of interconnected information resources supporting general IT services. 
A GSS normally\nincludes hardware, software, information, data, applications, communications, facilities, and people, and provides\nsupport for a variety of users and common applications.\n\n                                                                        AUDIT REPORT 26501-0001-12               17\n\x0cAgency Response\nIn its response dated, January 16, 2014, NASS agreed with this recommendation and stated that\nit has developed, is executing, and will continue to execute a pre-lockup checklist, which\nincludes verifying that electrical equipment and server rooms are locked at all times. In\nsubsequent correspondence, dated January 22, 2014, NASS stated that this checklist was\ncompleted and implemented January 1, 2014.\n\nOIG Position\nWe accept NASS\xe2\x80\x99 management decision for this recommendation.\n\nRecommendation 15\nConduct and maintain a comprehensive inventory of all equipment located within the lockup\nserver room.\n\nAgency Response\nNASS agreed with this recommendation and stated that it now maintains a comprehensive\ninventory of all equipment in the lockup server room. This inventory list will be checked against\nequipment in the room as part of the pre- lockup checklist. According to additional information\nreceived from NASS on January 22, 2014, NASS implemented the new pre-lockup checklist on\nJanuary 1, 2014.\n\nOIG Position\nWe accept NASS\xe2\x80\x99 management decision for this recommendation.\n\nRecommendation 16\nWhen testing a system, only use test data or data that have already been released.\n\nAgency Response\nNASS agreed with this recommendation and stated it only uses test data or data that have already\nbeen released when testing a system. 
NASS provided additional correspondence and information obtained on January 22, 2014, indicating that it formally requested this through its Change Control Board on January 21, 2014.

OIG Position
We accept NASS' management decision for this recommendation.

Recommendation 17
In cooperation with the Department, determine and implement the appropriate security categorization and system boundaries of the GSS and the EP System.

Agency Response
NASS agreed with this recommendation and stated that by October 1, 2014, in cooperation with the Department, NASS will review the IT systems boundaries and make adjustments where necessary as part of the assessment and accreditation process.

OIG Position
We accept NASS' management decision for this recommendation.

Scope and Methodology
Our audit analyzed current NASS lockup procedures, covering the process of aggregating and securing commodity data and compiling them into agricultural reports that are prepared and released using NASS' lockup process. We focused on determining whether the data used to create the reports are secured throughout the lockup process.

We conducted our audit fieldwork from February 2013 to August 2013. We visited NASS headquarters in Washington, D.C.

To determine the security of NASS data, we performed the following steps:

- Interviewed NASS staff.
- Tested NASS' physical control environment prior to, during, and following lockup.
- Conducted scans of NASS' network to identify vulnerabilities.
- Analyzed past issues with data security during lockup, noted any ongoing issues, and determined the corrective actions taken.
- Reviewed the ASB system controls to determine whether they are suitably designed and whether they conform to the minimum security requirements mandated by NIST SP 800-53 r3, Recommended Security Controls for Federal Information Systems and Organizations.
- Participated in and tested controls during three lockup sessions to determine whether they operated with sufficient effectiveness to provide reasonable assurance of data security.
- Followed up on a review of NASS conducted by OCIO/ASOC and reviewed the recommendations to determine whether they had been implemented.
- Obtained and reviewed current policies for lockup and verified whether they are sufficient to secure sensitive data related to agricultural reports issued by NASS.
- Reviewed various Departmental Regulations and manuals related to IT security, and Governmentwide publications such as NIST Special Publications, OMB Circulars, and the Government Accountability Office Federal Information Systems Controls Audit Manual, as guidelines for this review.

We used a commercially available scanning tool to evaluate IT security. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Abbreviations
ASB – Agricultural Statistics Board
ASOC – Agriculture Security Operations Center
CSAM – Cyber Security Assessment and Management
EP – Estimation and Publication
FPS – Federal Protective Service
GSS – General Support System
ID – Identification
IT – Information Technology
NASS – National Agricultural Statistics Service
NIST – National Institute of Standards and Technology
NITC – National Information Technology Center
OCIO – Office of the Chief Information Officer
OIG – Office of Inspector General
OMB – Office of Management and Budget
POA&M – Plan of Action and Milestone
REE – Research, Education and Economics
USDA – Department of Agriculture
WASDE – World Agricultural Supply and Demand Estimates

Agency's Response

USDA'S NATIONAL AGRICULTURAL STATISTICS SERVICE'S RESPONSE TO AUDIT REPORT

United States Department of Agriculture
National Agricultural Statistics Service
Office of the Administrator

January 16, 2014

TO:       Gil H. Harden
          Assistant Inspector General for Audit

FROM:     Cynthia Clark /s/ Cynthia Clark
          Administrator
          National Agricultural Statistics Service

SUBJECT:  Security Review of the National Agricultural Statistics Service Lockup Procedures, Audit 26501-0001-12

Thank you for the opportunity to comment on your final draft report. NASS appreciates your thorough and thoughtful report and takes your review and recommendations seriously. We are committed to implementing each of the recommendations and to the continuous improvement of our systems and procedures. Our responses identify these commitments and highlight actions we have already taken that were not mentioned in the report.

As background, in 2011 NASS originally asked the Agriculture Security Operations Center (ASOC) and the Office of the Chief Information Officer to conduct an audit of the Lockup press room following incidents during which news stories were inadvertently released out of Lockup before NASS released the official data. NASS sought to identify vulnerabilities and ways to improve its Lockup security systems and processes.

Following the ASOC review in 2011, NASS addressed recommendations in the report including:
- Installing new redundant switches in the press room to control network connectivity;
- Segregating the press room communication equipment into two cabinets – one containing government equipment and the other containing news agency equipment;
- Adding cameras outside of all Lockup doors (they are monitored by the USDA command center); and
- Installing lockers outside of Lockup to hold personal items prohibited in Lockup.

The Office of the Inspector General (OIG) conducted a subsequent audit of the broader Lockup process during 2013. This report documents the OIG's audit findings. NASS implemented many of the recommendations found in this report during the audit period and since its completion. While the OIG report does mention some actions NASS has already taken, we have completed actions on many more recommendations that are not documented in the report. During the exit conference, the auditors agreed, noting that they could not include actions that they did not observe during their visits or that occurred between their last visit and the report preparation.

The OIG's recommendations to improve Lockup procedures and the security of the press room fall into three primary categories: Lockup Management, Lockup Security, and IT Security. NASS is responding with actions it has taken in each of these areas.

Room 5041A-South Building · 1400 Independence Avenue, SW · Washington, D.C. 20250-2001
(202) 720-2707 · (202) 720-9013 FAX · www.nass.usda.gov
USDA is an equal opportunity provider and employer.

LOCKUP MANAGEMENT – Recommendations 1-5

The initial recommendations in this section are the foundation of OIG's final recommendations to assure long-term review and improvement of NASS Lockup management. NASS is establishing an oversight group responsible for ongoing review of Lockup security procedures and practices, including establishing a more comprehensive set of standard operating procedures (SOPs) and consistently using plans of actions and milestones (POA&Ms). Each October, an annual report will be provided to an external evaluator. Until the oversight group is established, personnel in charge of Lockup elements have established standard operating procedures and have taken actions to implement recommendations in their areas of responsibility.

In the area of Lockup management the report mentions IT vulnerabilities. NASS took immediate and significant actions regarding the finding of 4,800 network vulnerabilities. In our first action, about 3,900 vulnerabilities were either resolved or added to a POA&M. We have implemented a stricter vulnerability mitigation process to avoid future vulnerabilities. This will be reviewed by both internal and external review groups.

After the early release that occurred in 2011, NASS has taken multiple steps to prevent both early release and report release delays. NASS is actively monitoring results and will incorporate continual analysis and assessment as part of the internal review process. This will include revising our agreement with the National Information Technology Center (NITC) to include specific responsibilities and minimum performance standards.

Our responses to the five recommendations relating to NASS Lockup management are:

1. NASS will establish a group responsible for developing, implementing, conducting and documenting internal reviews of the entire Lockup process annually by October 1 of each year. The results of this review will be shared with an independent evaluator and integrated with other evaluations.

2. NASS will employ an independent evaluator as recommended to monitor, track and report results of corrective actions of the entire Lockup process. Results of this independent evaluation will be shared with the REE Undersecretary bi-annually by October 1 of odd-numbered years.

3. NASS is currently conducting POA&Ms as part of its corrective action plan and has incorporated these into the USDA Cyber Security Assessment and Management (CSAM) System.

4. NASS has taken and is taking several actions to minimize report release delays. NASS will have a plan in place by March 15, 2014, and will incorporate continual analysis and assessment as part of the internal review process.

5. NASS will update its service level agreement with NITC to include specific responsibilities and minimum performance standards by October 1, 2014.

Page 2 of 5

LOCKUP SECURITY – Recommendations 6-12

In the past two years, NASS has focused on multiple efforts to prevent wireless and cellular devices within Lockup. We have sought a permanent solution to actively prevent cellular activity within Lockup. In September 2013, we submitted a waiver request to the National Telecommunications & Information Administration (NTIA) to allow cellular blocking within the Lockup area. The NTIA denied this request. NASS will continue to investigate mitigation strategies for limiting cellular access. This will be incorporated into the annual review process.

We installed lockers to hold personal items that are prohibited in Lockup. We recently revised security procedures to enter Lockup. We have installed and are using electronic security detectors through which everyone entering Lockup must pass as one line of defense against electronic devices such as mobile phones. Federal Protective Service (FPS) guards have a revised protocol to check bags and identity. NASS has taken action to ensure that FPS guards have and follow updated and clear security procedures in regard to identity checks and documentation.

NASS is conducting monthly audits and developing procedures to remove terminated or retired employees from the key card access database and to maintain accurate documentation of separation checklists. NASS has reviewed records to ensure that all current employees and contractors have current confidentiality forms on file, and we will continue a periodic review. We are documenting a process to ensure employees sign confidentiality forms upon hiring and at their annual performance reviews.

We are also actively observing the security processes at the Lockup entrance and monitoring the activities of reporters in the Lockup press room. Reporters have been instructed again on procedures allowed in the room and penalties of prohibited actions.

Our responses to the seven recommendations relating to NASS Lockup security are:

6. NASS has purchased, and with each Lockup is now using, an electronic screening device that all Lockup entrants must pass through to prevent wireless and cellular devices within Lockup. This device will screen for cellular and wireless devices. NASS submitted a waiver request to the National Telecommunications & Information Administration in September 2013 to allow cellular blocking within the Lockup area. This request was denied. NASS will continue to investigate mitigation strategies for limiting cellular access. This review will be incorporated into the annual review process.

7. By June 1, 2014, we will revise the current FPS contract to include detailed guard responsibilities, in accordance with NASS procedures, as well as recourse if performance is not adequate.

8. NASS has already instituted a procedure to co-locate a NASS employee with FPS personnel to ensure duties are carried out in accordance with contractual agreements. NASS will continue to enhance these procedures and monitor FPS personnel when a new contract is signed.

9. NASS will implement a process to ensure NASS employees and contractors update and sign confidentiality forms. This process will coincide with the annual performance review process.

10. NASS has developed procedures and will continue to conduct monthly audits to assure that terminated or retired employees are removed from the key card access database and that we maintain accurate documentation of separation checklists.

11. By October 1, 2014, NASS will revise Lockup procedures to include more specific guidance on the steps to take in the event of a disaster during Lockup, and the locations to which staff, press, and visitors will be moved. NASS will train its own staff and media representatives on disaster recovery procedures.

12. By June 1, 2014, NASS will update the statement of work for the FPS guards to increase the level of Lockup security, in line with the recommendations.

IT SECURITY – Recommendations 13-17

In the past two years, NASS has implemented many improvements to the server room security, access, inventory and pre-Lockup checklist. Clocks were installed in the server room in 2013 to assist with timely report dissemination. Our practices will be included in a checklist for the internal reviewers to examine how NASS complies with the physical and environmental controls in the National Institute of Standards and Technology (NIST) Special Publication 800-53.

NASS has developed and is using pre-Lockup checklist procedures to verify that electrical equipment and server rooms are locked at all times. We are also conducting and maintaining a comprehensive inventory of all equipment in the Lockup server room. This inventory list is checked against equipment in the room as part of the pre-Lockup checklist.

Since the OIG identified that NASS was using pre-release data to test its Estimation and Publication systems, NASS has successfully completed re-accreditation of the NASS Estimation and Publication Major Application. It achieved authority to operate (ATO) on September 6, 2013.

Our responses to the five recommendations relating to IT security are:

13. As part of the internal review process in Recommendation 2, NASS will by October 1, 2014, include a checklist for reviewers to examine how NASS complies with the physical and environmental controls in the National Institute of Standards and Technology (NIST) Special Publication 800-53.

14. NASS has developed, is executing, and will continue to execute a pre-Lockup checklist to include verifying that electrical equipment and server rooms are locked at all times.

15. NASS now maintains a comprehensive inventory of all equipment in the Lockup server room. This inventory list will be checked against equipment in the room as part of the pre-Lockup checklist.

16. NASS only uses test data or data that have already been released when testing a system.
17. By October 1, 2014, and in cooperation with the Department, NASS will review the IT systems boundaries and make adjustments where necessary as part of the assessment and accreditation process.

Thank you once again for the opportunity to provide these comments.